this is more Intel SCS -RCS service related question:
- SCCM requires AD integration - Intel RCS runnig as Network Service account will require permissions for AD additional OU created for AMT ME objects to be able to create and delete child computer objects (so you will grant propper delegation to this OU to RCS computer account)
- SCCM requires TLS AMT setup - RCS will request AMT TLS certificate to be issued automatically for each Intel vPro/AMT based system by your PKI CA (certs CA CAN'T be put to pending!).
so RCS service running as Network Service Account (RCS Server Computer account) will need to be authorised for specified AMT TLS certificate template Read and Enroll
For Standalone CA - access to CA will be required for RSC service account.
- if Remote Configuration PKI certificate based method will be used to configure Intel AMT - AMT Remote Configuration certificate (the one you will order from Godaddy, Verisign or any other of 15 Public CA supported by default Intel ME FW) will have to be placed in RCS service Personal Cert store - so either in RCS Computer cert store or using RCSutils tool.
If only Host Based Configuration will be used - Intel RCS is not required, although it can be still used for central secure store of AMT Configuration profiles.
ACUConfig will be executed by SCCM agent -so in Local Computer account context
As in Host Based Configuration case it will be ACUConfid.exe component which will create AD ME objects and request AMT TLS certs from your CA - then same access shall be granted to all Intel vPro /AMT based computer accounts to AMT additional OU and AMT TLS certificate template - easiest way will be to grant it to Domain Computers.
In Host Based Configuration AMT RCFG cert is not used at all so no need to purchase it neither import to any certificate store.